[koha-commits] main Koha release repository branch master updated. v3.18.00-14-g5bdf460
Git repo owner
gitmaster at git.koha-community.org
Thu Dec 11 16:13:44 CET 2014
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, master has been updated
via 5bdf4601df1de15387fe8a3c43e526e811a3c39f (commit)
from ae550b8328d24cd104c2040ac4c569c0b8405194 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 5bdf4601df1de15387fe8a3c43e526e811a3c39f
Author: Chris Cormack <chrisc at catalyst.net.nz>
Date: Wed Dec 10 12:47:30 2014 +1300
Bug 13425 - XSS in opac facets - Patch for master and 3.18
To Test
1/ Craft a url like /cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123
It is important that it returns results and facets
2/ Notice the js is executed
3/ Apply the patch, test again
Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
Popup is gone after applying the patch. Facet link still shows it but does not execute. It's gone after clicking the link.
Signed-off-by: Jonathan Druart <jonathan.druart at biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen at gmail.com>
-----------------------------------------------------------------------
Summary of changes:
koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-facets.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
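The commit above changes two lines of opac-facets.inc, but the diff itself is not in this notification. The following Python is an added illustration of the bug class it fixes and is not Koha's code: a request value (sort_by) is written into a facet link's href, and the test plan's payload from the commit message shows what happens when that value is neither percent-encoded nor HTML-escaped. The "before" and "after" functions are a model of the template behaviour, not the actual patch; the Template Toolkit filters named in the comment are the usual way to get the same effect in a Koha template.

```python
import re
from html import escape, unescape
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample request, not captured from a Koha instance: the
# sort_by value is the payload from the bug's test plan.
BASE = "/cgi-bin/koha/opac-search.pl"
PAYLOAD = "'\"><script>prompt('Happy_Holidays')</script>"
REQUEST = {"q": "123", "sort_by": PAYLOAD}


def facet_link_unescaped(base, request, facet_limit):
    """'Before' behaviour (modelled, not Koha's actual template): request
    values are pasted straight into the href, so a sort_by containing
    '"> closes the attribute and the tag, and the browser runs what follows."""
    query = "&".join(f"{k}={v}" for k, v in request.items())
    return f'<a href="{base}?{query}&limit={facet_limit}">facet</a>'


def facet_link_escaped(base, request, facet_limit):
    """Hardened form: percent-encode every value so it cannot leave the
    query string, then HTML-escape the finished URL for the attribute
    context (Template Toolkit's `| uri` and `| html` filters do the same)."""
    query = urlencode({**request, "limit": facet_limit})
    return f'<a href="{escape(base + "?" + query, quote=True)}">facet</a>'


def contains_raw_script(fragment):
    """Detection check: a literal <script tag in the rendered facet markup
    means a request value reached the page unencoded."""
    return "<script" in fragment.lower()


def href_params(link):
    """Undo the two encodings in the order a browser would (HTML entity
    decoding, then percent-decoding) and return the href's query parameters,
    showing that the hardened link still carries the original sort_by."""
    href = unescape(re.search(r'href="([^"]*)"', link).group(1))
    return {k: v[0] for k, v in parse_qs(urlsplit(href).query).items()}


if __name__ == "__main__":
    before = facet_link_unescaped(BASE, REQUEST, "123")
    after = facet_link_escaped(BASE, REQUEST, "123")
    print("before:", before)
    print("after: ", after)
    print("payload survives round trip:", href_params(after)["sort_by"] == PAYLOAD)
```

The sign-off note in the commit ("Facet link still shows it but does not execute") matches the hardened output: the payload is still visible as percent-encoded text in the href, and following the link sends the same sort_by back to the server, but no part of it is parsed as markup.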
hooks/post-receive
--
main Koha release repository